Privacy policies

Enterprise Holdings, Inc., through its independent regional subsidiaries (collectively, “Enterprise Holdings”) and the network of independent franchisees and compliance partners that operate the Enterprise Rent-A-Car, National Car Rental and Alamo Rent A Car brands, provides global reservation management and rental services. This site is for an authorized franchisee. For Enterprise Holdings' global data exchange and reservation practices, see the Global Privacy Policy of Enterprise Holdings.
For information about the authorized franchisee's privacy practices for this country, see below.

1. Objective

Define the general guidelines for the implementation, application, monitoring, maintenance and continuous improvement of the comprehensive corporate program for the protection of personal data in the operation of MASSY MOTORS RENTALS S.A.S.

2. General Considerations and Scope

MASSY MOTORS RENTALS S.A.S, identified with NIT 901.252.875 - 7, with main address at Avenida las Américas 23 N 44, Cali, Valle del Cauca, Colombia, hereinafter MMR or The Company, in its capacity as Data Controller, recognizes the importance of the security, privacy and confidentiality of the personal data of its workers, customers, suppliers, partners, business partners and in general of all its agents of interest with respect to whom it exercises Personal Information Processing. Therefore, in compliance with constitutional and legal mandates, it presents the following document containing its policies for the treatment and protection of personal data, for all its activities involving the processing of personal information of owners or interested parties in the national territory of Colombia.

3. Scope of application

This policy applies to all personal data processing activities carried out by The Company within the national territory of Colombia, as well as to the processing of personal data of data controllers located within the community framework of the European Union, hereinafter the Union, as well as to personal data processing activities developed or promoted by the Company that involve the transfer or deployment of information flows of a personal nature to third party Data Processors or Data Processors domiciled outside Colombian territory.

This document must be applied by all of the Company's collaborators, partners and suppliers.
Any person outside the Company who accesses or processes personal data subject to their responsibility or commission must express their knowledge of this personal data processing policy. Individuals or collaborators directly linked to the Company who access or process personal data subject to their responsibility or commission must express their knowledge of this personal data processing policy, as well as the Company's Personal Data Processing Manual.

4. Glossary

  • Authorization: Prior, express and informed consent of the Interested Data Controller to carry out the processing of personal data. Consent may be granted in writing, orally or through unambiguous conduct on the part of the Owner to conclude that the authorization was granted.
  • Privacy Notice: Verbal or written communication whose purpose is to fulfill the duty to inform the interested party about the activities, types of treatment, purposes and other aspects associated with the management of personal information.
  • Database: Organized set of personal data that is subject to Treatment stored in manual or automated media, whose content includes information on clearly identified or identifiable natural persons (e.g. Worker Database, Provider Database, Customer Database, among others).
  • Successor in title (causahabiente): Person who has succeeded another because of their death (heir or legatee).
  • Personal data: Any information linked to or that can be associated with one or more specific or determinable natural persons.
  • Private personal data: Those whose knowledge is restricted to the public.
  • Public data: Data that is not semi-private, private or sensitive, which can be processed by anyone, without the need for authorization to do so. Among others, the data contained in the civil registry of individuals (e.g. if you are single or married, male or female) and those contained in public documents (e.g. contained in Public Deeds), in public records, and others, are public.
  • Sensitive data: These are those that affect the privacy of the interested party or whose misuse may lead to their discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership in unions, social or human rights organizations or that promote the interests of any political party or that guarantee the rights and guarantees of opposition political parties as well as data relating to health, sexual life and biometric data, among others, the capture of a still image or movement, fingerprints, photographs, irises, voice, facial or palm recognition, etc.
  • Data Protection Officer: Corporate role responsible for monitoring, controlling and promoting the application of the elements of the Corporate Personal Data Protection Program as well as their continuous and sustainable improvement in compliance with applicable regulations.
  • Privacy designations by area: Role assigned to an official from each of the different areas of the Company, with the objective of supporting and coordinating with the Privacy Delegate the development of different internal activities and procedures for compliance with corporate and regulatory provisions on the protection of personal data.
  • Profiling: Making individual decisions based on automated data processing, aimed at evaluating personal aspects or analyzing or predicting a person's professional performance, economic situation, health, personal preferences or interests, reliability, behavior, location or movements.
  • Data Processor: Natural or legal person, public or private, who, on their own or in association with others, carries out the processing of personal data on behalf of the Data Controller. For the purposes of this document, it is understood as an ally or supplier that processes personal data within the framework of the execution of a contract or agreement in accordance with the instructions, guidelines and purposes defined by the Company.
  • Public interest: Justification that motivates the processing of personal data based on one or more of the following events:
    • Treatments carried out by Authorities or Public Bodies in the exercise of their functions.
    • Treatments for purposes of public interest based on current legislation.
    • Treatments for historical, statistical or scientific research purposes.
  • Data Controller: Natural or legal person, public or private, who, on their own or in association with others, decides on the database and/or its Treatment.
  • Data subject or interested party: Natural or physical person whose personal data are subject to Treatment.
  • Data processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or deletion, whether they involve all or any of them.
  • International data transfers: Transfer of data to individuals, companies or other entities from third countries or international organizations not established in the national territory. In accordance with organizational guidelines, these transfers may be addressed to a Data Controller (international data transfer) or a Data Processor (International Transmission of Personal Data).

5. Regulatory framework

Applicable basic legislation

  • Political Constitution of Colombia
  • Law 1581 of 2012. By which the general provisions for the protection of personal data are dictated
  • Law 1266 of 2008. By which general provisions of habeas data are issued and which regulates the management of information contained in personal databases, especially financial, credit, commercial, service and information from third countries, and other provisions are issued
  • Single Decree 1074 of 2015. By means of which the Single Regulatory Decree for the Commerce, Industry and Tourism Sector is issued

Reference complementary legislation

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of these data and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Organic Law 3/2018, of December 5, Protection of personal data and guarantees of digital rights
  • LSSICE - Law 34/2002, of July 11, on Information Society Services and Electronic Commerce
  • Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration

6. General principles, postulates and specific principles

6.1 General principles and postulates

MMR promotes the protection of rights such as habeas data, privacy, good name, honor and personal image. To this end, all actions will be governed by the principles of good faith, legality, informational self-determination, freedom and transparency.

MMR recognizes that its legitimate right to the Processing of the personal data of Data Subjects must be exercised within the specific framework of legality, the consent of the Data Subject and the specific instructions given by the Data Controllers when appropriate, seeking at all times to preserve the balance between the rights and duties of Data Subjects, those responsible and other processors linked to its operation.

Whoever in the exercise of their activity provides any type of information or personal data to The Company in their capacity as Processor or Data Controller, may exercise their rights as a Data Subject to know, update and rectify it, as well as to exercise the other rights conferred on them by Law 1581 of 2012 in accordance with the procedures established in the applicable regulations and this policy.

6.2 Specific Principles

The Company will apply the following specific principles, which constitute the rules to be followed in the collection, management, use, processing, storage, exchange and deletion of personal data:

  • Lawfulness: Loyalty and transparency with the Owner or Interested Party.
  • Limitation of purposes: Collected for specific, explicit and legitimate purposes and not subsequently processed in a manner incompatible with those purposes.
  • Principle of freedom: The use, capture, collection and processing of personal data can only be carried out with the prior, express and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal, statutory or judicial mandate to relieve consent.
  • Data minimization: Adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated.
  • Accuracy: Updated without delay with respect to the purposes for which they are being treated.
  • Limitation of the storage period: Maintained in such a way as to allow the identification of the Owners or Interested Parties for no longer than necessary for the purposes for which they are being treated, except if the Treatment is carried out exclusively for archiving purposes in the public interest or for historical, statistical or scientific research.
  • Integrity and confidentiality: Implementing appropriate technical and organizational measures to protect data against unauthorized or illegal Processing and its accidental loss, destruction or damage.
  • Principle of access and restricted movement: Personal data, with the exception of public information, may not be available on the Internet or other means of dissemination or mass communication, unless access is technically controllable to provide restricted knowledge only to the Owners or authorized third parties. For these purposes, The Company's obligation shall be one of means.
  • Principle of safety: Personal data and information used, captured, collected and subject to processing in carrying out the activities of The Company will be protected to the extent that technical resources and minimum standards allow it, through the adoption of technological protection measures, protocols and all kinds of administrative measures that are necessary to provide security to physical and electronic records and repositories, avoiding their adulteration, modification, loss, consultation, and in general protecting against any unauthorized use or access.
  • Proactive Accountability: Being responsible and able to demonstrate compliance with all the principles of the Treatment.
  • Systematic incorporation: Personal data protection principles will be implemented and will radiate the interpretation of all MMR processes and procedures.

7. Status of Massy Motors Rentals as Data Controller and Data Processor of personal information

The following are the scenarios in which the Company holds the status of Data Controller or Processor vis-à-vis the different types of Information Interested parties, depending on their ability to decide on the means or purposes of the processing of personal data:

Data Processor

MMR will act as Personal Data Processor whenever, for the development of its activities, it uses or processes personal information on behalf of a third party who holds the status of Data Controller for the data processed. Depending on the nature of the operation and the corporate purpose of the Company, the activities as Data Processor of personal data will be carried out mainly on the data of the users of MMR clients, whose information is entrusted for the provision of the services and technological capabilities contracted according to the offer of commercial services that constitute the mission purpose of the Company.

Although MMR has technical and operational autonomy for making decisions about personal information, it cannot decide or dispose of the databases themselves or the form of their Treatment, for example: deleting, sharing or disclosing the database without the consent or prior authorization of the Data Controller or the Data Subject. Therefore, it will be the responsibility of whoever holds the title of Data Controller to prove the existence of the duty to provide information, to manage consent, to prove the legal basis or legitimate interest on which the development of the personal data processing activities required for the full execution of the activities entrusted to the Company is based.

Data Controller

MMR will act as the Data Controller of personal data whenever, for the development of its activities, it uses or processes personal information, directly managing the duty to inform the interested party, the consent, legal basis or any other event of legitimate interest applicable in accordance with the applicable regulatory provisions.

8. Record of personal data processing activities

In carrying out its mission, strategic, support and related activities, the Company carries out personal data processing activities against the following categories of owners and treatment activities, for which it holds the status of both Data Controller and Data Processor:

Record of processing activities as a controller

Customers

Customer categories

  1. Customers: People with whom you have a business relationship for the provision of corporate services, requiring the knowledge of data of legal representatives and contact persons.

Types of data

  1. General data regarding your age of majority, date and place of birth, age, sex, nationality.
  2. Identification data such as names, surnames, DNI/NIF/identification document, signature.
  3. Business contact details: address, telephone numbers, email.
  4. Socio-economic data: economic data such as tax data, economic activity and credit card data, data necessary for service activation and billing.

Purpose of the treatment

  1. Management of the commercial and administrative relationship of clients.

Legitimation

  • Holders domiciled or resident in the Union:
    • Execution of a vehicle lease agreement.
    • Legal obligation.
  • Holders domiciled or resident in Colombia:
    • Consent.

Categories of recipients to whom personal data were or will be communicated

  1. Tax administration.
  2. Banks and financial institutions.
  3. Business partners.
  4. Providers of hosting services or other technological services that support the technical capabilities of storing and processing personal information.

Expected deadlines for the deletion of data

  1. Personal data will be kept for the period necessary to comply with the processing purposes, without prejudice to the fact that their storage is necessary to comply with legal obligations regarding document management.
  2. Data processed to comply with regulations on the prevention of the risk of money laundering and terrorist financing will be kept for a period of 10 years.

International data transfers and warranty documentation

  1. International transfer of data to partner companies for technological and administrative support purposes.
  2. Destination countries: USA.
  3. Basis of legitimation:
    • Union: legitimate interest (Art. 6.1 GDPR).
    • Colombia: consent (Law 1581 of 2012, art. 9).

Security measures
See paragraph 12.4.

Shareholders

Categories of stakeholders

  1. Shareholders: people with equity interests in the Company, regardless of their percentage.

Types of data

  1. General data on the age of majority, date and place of birth, age, sex, nationality.
  2. Identifying data.
  3. Private and business contact details.
  4. Socioeconomic and tax data, direct debit of payments.

Purpose of the treatment

  1. Management of commercial, corporate, corporate and statutory relationships.

Legitimation

  • Union: prevailing legitimate interest, legal obligation.
  • Colombia: Consent.

Recipients

  1. Tax administration.
  2. Banks and financial institutions.
  3. Technology providers.

Data deletion deadline
Same deadlines as for customers.

International transfers
Same destinations and bases of legitimation as for customers.

Security measures
See paragraph 12.4.

Suppliers

Categories of stakeholders

  1. People with a commercial contractual link for the purchase of goods/services.

Types of data

  1. General (age, sex, nationality).
  2. Identification.
  3. Business contact.
  4. Socio-economic (tax, economic activity, payments).

Purpose of the treatment

  1. Management of the business relationship.

Legitimation

  • Union: contractual execution.
  • Colombia: Consent.

Recipients
Same as before.

Data deletion deadline
Same as before.

International transfers
Same details as above.

Security measures
See paragraph 12.4.

Employees

Categories of stakeholders

  1. Employees with direct employment contracts.
  2. Workers on mission via third parties.

Types of data

  1. General.
  2. Identification, image, voice.
  3. Contact.
  4. Socioeconomic and labor.
  5. Banking (payroll).
  6. Judicial record.
  7. System credentials.
  8. Sensitive data (health, disability).

Purpose of the treatment

  1. Management of the employment relationship.

Legitimation

  • Union: contractual execution, legitimate interest.
  • Colombia: Consent.

Recipients

  1. Labor and tax authorities.
  2. Mutual funds, insurance, surveillance, HR.
  3. Technology providers.

Data deletion deadline
Same as before.

International transfers
Same as before.

Security measures
See paragraph 12.4.

Visitors to company facilities

Categories of stakeholders

  1. People who access physical locations of the Company.

Types of data

  1. General.
  2. Identification, image, video.
  3. Contact (phone).

Purpose of the treatment

  1. Physical security and access control.

Legitimation

  • Union: prevailing legitimate interest.
  • Colombia: Consent.

Recipients

  1. Judicial authorities, security forces.
  2. Surveillance, insurers, HR, technology providers.

Data deletion deadline

  1. 30 days from collection.

International transfers
None are carried out.

Security measures
See paragraph 12.4.

Business and work contacts

Categories of stakeholders

  1. Business contacts (related to the company's activity).
  2. Work contacts (employees or temporary employees).
  3. Institutional contacts (entities or authorities).

Types of data

  • Identification and electronic signature.
  • Contact (private and commercial).
  • Professional data (position, functions).

Purpose of the treatment

  1. Communication with third parties related to the company's activity.

Legitimation

  • Union: contractual execution (labor or commercial), legitimate interest.
  • Colombia: Consent.

Recipients

  1. Technology service providers.

Data deletion deadline
Same as before.

International transfers

  1. Transfer to partner companies in the USA.
  2. Union: legitimate interest (Art. 6.1 GDPR).
  3. Colombia: consent (Law 1581 of 2012, art. 9).

Security measures
See paragraph 12.4.

9. Main scenarios and specific purposes of the processing of personal information

The personal data processing activities carried out by the Company are associated with the specific scenarios and purposes detailed below:

1. Purchasing and Procurement Management

a) Verify business and reputational backgrounds and risks associated with money laundering and terrorist financing.
b) Legally and commercially link the supplier or ally to the Company.
c) Formalize the contractual relationship and control the execution of obligations.
d) Evaluate supplier performance and results.

2. Human talent management and labor relations

a) Background check.
b) Evaluation and selection of applicants.
c) Verification of socio-economic elements.
d) Management before administrative authorities.
e) Registration in internal systems.
f) Management of payroll news.
g) Worker welfare and development.
h) Training programs.
i) Occupational safety and health management.
j) Performance evaluation.
k) Disengagement procedures.
l) Development of operational tasks.
m) Application of internal regulations.
n) Monitoring the use of corporate tools.
o) Communication of semi-private information.
p) Information Backups.
q) Use of image and voice for corporate communication purposes.

3. Management of the commercial relationship with customers

a) Background check.
b) Registration in systems for commercial operation.
c) PQRS management and loyalty.
d) Marketing and market intelligence.
e) Participation in promotional events.
f) Business Intelligence.
g) Behavioral advertising.

4. Administrative Management, Governance, Risk and Compliance

a) Registration and access control.
b) Internal or external audits.
c) Environmental compliance, quality and information.
d) Legal obligations.
e) Allegations of malpractices.
f) Management of computer tools.
g) Judicial and extra-procedural actions.
h) Corporate obligations.

5. Accounting and treasury management

a) Registration of economic movements.
b) Generation of reports and indicators.
c) Submission of reports to authorities.
d) Validation of payments to suppliers.
e) Relations with State entities.

10. Request for authorization and consent from the interested party

10.1 Means of granting authorization

It details how authorization is obtained through privacy notices and physical, verbal or digital mechanisms.

10.2 Proof of Authorization

Proof will be established according to the means of authorization:

  • Request models.
  • Unambiguous behaviors.
  • Physical, digital or verbal evidence.

For sensitive data, express written acceptance will be required.

10.3 Obligations of third-party providers

a) Adopt a treatment policy.
b) Manual of internal procedures.
c) Service channels for owners.

10.4 Workers' obligations

a) Know and comply with this policy.
b) Safeguard data security.

11. Procedures for managing and responding to inquiries, complaints, corrections and updates

Consultations

The right to consultation and the detailed procedure (points a-e) for exercising it are described, including identity requirements, documentation, response times and support formats.

Complaints

Rights:

  • Rectification
  • Limitation
  • Suppression

Additional rights (European Union, GDPR):

  • Portability
  • Opposition

Claims Procedure

The steps of the procedure from submission, required documentation, identity verification, response times (10 and 15 business days) and format requirements are listed.

11.1 Channels enabled for the exercise of the rights of interested parties

12. Special provisions for the processing of personal data and accreditation of the principle of “proactive responsibility”

12.1 Identifying and updating the personal information cycle

Defined elements:

a) Processes that justify the treatment.
b) Channels and capture points.
c) Data repositories.
d) Internal users with access.
e) Output nodes and transfers.
f) Final provision of information.

12.2 Relationship with third parties

Requirements for related third parties and supervisory measures to ensure regulatory compliance, including action plans or termination of the link in the event of non-compliance.

12.3 Privacy Impact Assessment

Preventive procedure led by the Privacy Delegate to identify risks and take action. It includes evaluation:

a) With respect to stakeholders.
b) With respect to third parties.
c) With respect to authorities.
d) Internally.
e) Risk management.

13. Information Security and Privacy Risk Management

Technical and organizational security is promoted to prevent unauthorized or illegal treatment.

Obligations:

  • Data minimization.
  • Technical and organizational measures depending on costs, risks, nature and context of the treatment.

13.1 Organizational Measures

  • Defined roles: security officer, administrator, users.
  • Obligations: confidentiality, password management, incidents.
  • Diverse administrative procedures.

13.2 Technical Measures

  • Physical security (access, fire, file cabinets).
  • Image capture: location, conservation, access.
  • Computer security, cloud, encryption, pseudonymization.

14. Comprehensive corporate program for the protection of personal data

Organic component

Defines administrative roles and assigns coordination and reporting to senior management to the Privacy Delegate.

Programmatic component

Defines annual activities such as:

  • Training.
  • Support in legal/technical coverage.
  • Internal control.
  • Improvement actions.
  • External and internal reports.

15. Video surveillance system

Protocol for requesting, reviewing and delivering information captured by cameras, ensuring custody and control of access to images.

16. Final provisions and validity

16.1 Changes to the Policy

The Company may modify the policy, providing five (5) business days' advance notice. The validity of the data is maintained as long as the legal and contractual purposes persist.

16.2 Validity

From: February 01, 2026
